A Note on the Use of Floating Point in Critical Systems
Author(s) - Brian Wichmann
Publication year - 1992
Publication title - The Computer Journal
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.319
H-Index - 64
eISSN - 1460-2067
pISSN - 0010-4620
DOI - 10.1093/comjnl/35.1.41
Subject(s) - computer science, reservation, point (geometry), critical point (mathematics), mathematics, computer network, mathematical analysis, geometry
Floating point is widely used in scientific calculations. All the major programming languages support floating point, as does the hardware of most machines. Hence floating point is a well-tried technology which, it might seem, could be used without reservation. Unfortunately, there are dangers in the use of floating point which this note addresses. These dangers arise from faults in implementations, and in incorrect use in ways which are hard to locate.

The apparent danger of the use of floating point has been noted in Ref. 18, where its use has been prohibited in safety-critical systems for the Ministry of Defence. This position has probably arisen due to reports in Ref. 23 that tests revealed that two-thirds of floating point units contained serious design flaws. A balance needs to be drawn between the benefits of using floating point and the dangers which do indeed exist. This note is an attempt to make that balance on the basis of current understanding. One must expect the balance to change as a result of better standards for floating point and the availability of hardware which has been formally 'verified'.

The reason why there is some danger with floating point is simply its complexity. The complexity of a typical co-processor chip which provides an additional floating point capability for some machines is comparable to that of the main processor. Moreover, since performance is important, there is a temptation to provide systems which operate very quickly,* but are prone to deliver incorrect results. The view taken here, which is that used by those producing safety-critical systems, is that complexity is inherently potentially dangerous. Hence the use of complex components which could have faults must be justified, and steps taken to reduce any inherent risks. Ordinary use of floating point can rely upon industry to produce products of acceptable quality, but when human life depends upon the correctness of the component, special precautions must be taken.
Some suppliers of processor chips have attempted to prevent use of their products in safety-critical applications due to the risk of litigation if faults are found. There are also dangers in the use of desk calculators which are similarly complex and hard to validate. The referee reported that his calculator gave incorrect results